LEAR, Ser. No. 09/767,284, GAU 2135, Examiner P. Klimach 

REPLY TO OFFICE ACTION 

REMARKS 

Applicants appreciate the examiner making the second Office Action non-final and 
providing elaboration on the arguments asserted in the Office Action. 

In this response no claims have been amended, cancelled or added. Hence, Claims 1-24 
are pending in the application. Each issue raised in the Office Action mailed January 3, 2005 is 
addressed hereinafter. 

Claims 7-12 are canceled merely to simplify the case by reducing the number of claims, 
and not for reasons relating to prior art or patentability.

I. ISSUES RELATING TO PRIOR ART

A. CLAIMS 1-20 AND 23-24 

Claims 1-20 and 23-24 stand rejected under 35 U.S.C. § 103(a) as allegedly unpatentable 
over Reid et al, U.S. Pat. No. 6,182,226 (hereinafter "Reid") in view of Ray et al, U.S. Pat. No. 
6,587,455 (hereinafter "Ray"). The rejection is respectfully traversed. Claims 1-20 and 23-24 
are patentable for at least the reasons provided hereinafter. 

INDEPENDENT CLAIMS 1, 13, 19, 20, 23, AND 24 

First, each of the independent claims recites receiving information both from an address
server and from an external binding process separate from the address server; however, the
references fail to show both such information sources, alone or in the claimed combination.
More precisely, as amended each of the independent claims 1, 13, 19, 20, 23 and 24 recites a
combination that includes:

receiving information defining one or more group lists, resource definitions, and 
definitions of users as members of one or more groups in the group lists, 
wherein the definitions include network addresses for the users, wherein the 
network addresses have been assigned by an address server;

receiving, from an external binding process separate from the address server, a binding
of a network address to an authenticated user of one of the clients for which the 
policy enforcement point controls access to the network; 

updating the named group to include the bound network address of the authenticated user 
at the policy enforcement point; and 

permitting a packet flow originating from the network address to pass from the policy 
enforcement point into the network only if the network address is in the named 
group identified in one of the access controls that specifies that the named group 
is allowed access to the network 

The cited references, alone or in combination, lack at least the emphasized features. 
Regarding claim 1, for the binding feature, the Office Action recognizes (p. 3) that Reid fails to 
teach receiving a binding of a network address to an authenticated user from an external binding 
process. To make up for this deficiency, the Office Action proposes a broad definition of 
"binding" and then contends that Ray's address allocation is the same as the claimed binding. 

This is incorrect on several grounds. The Office Action states that applicant does not 
define binding a network address to an authenticated user, and then defines binding as "imposing 
an obligation." While the Office Action fails to provide any source of the suggested definition, 
"imposing an obligation" is a legal definition, not a technical definition, and is not relevant to the 
subject matter of the invention. "A technical term used in a patent document is interpreted as 
having the meaning that it would be given by persons experienced in the field of the invention 
..." Hoechst Celanese Corp. v. BP Chems. Ltd., 78 F.3d 1575, 1578, 38 USPQ 1126, 1129 (Fed. 
Cir. 1996). The Office Action errs in adopting a legal definition wholly irrelevant to the 
technical context of binding a network address to an authenticated user. 

An appropriate technical definition given Applicant's art for binding is "to make an 
association between two or more programming objects or value items for some scope of time and 
place." See WhatIS.com, http://whatis.techtarget.com/definition/0,,sid9_gci211662,00.html. See
also J. Saltzer, "On the Naming and Binding of Network Destinations," IETF Network Working
Group, Request for Comments: 1498, August 1993; J. Saltzer, "Naming and Binding of
Objects," 60 Lecture Notes in Computer Science at 99 (Springer-Verlag, 1978) (copies submitted
concurrently herewith).

Attorney Docket No.: 50325-0517

When a correct technical definition is adopted, the address server disclosed by Ray 
cannot correspond to the claimed external binding service. Ray teaches a DHCP server as an 
address server. Applicants teach both a DHCP server for address allocation (FIG. 1A, DHCP
server 134) and a separate NABR server for providing user-address bindings (FIG. 1A, NABR
server 130). Applicant's specification also highlights the differences in function of these
elements. Specification, Page 11, lines 20-26 states, "Edge device 122 is communicatively
coupled to a Network Address Binding Resolution (NABR) server 130, User Registration Tool
(URT) server 132, and Dynamic Host Configuration Protocol (DHCP) server 134. NABR server
130 is responsible for carrying out network address binding resolution to bind an authenticated
user of a workstation, e.g., workstation 118, to a particular static network address such as an IP
address. . . . DHCP server 134 is responsible for dynamically assigning network addresses to 
devices associated with authenticated end users, e.g., for workstation 118." Therefore, 
contending that Ray's DHCP server correlates to the claimed external binding service is not 
logically consistent with Applicant's disclosure. 

The DHCP server of Ray is not an external binding service. The external binding service 
persistently associates or maps an authenticated user to a particular static network address. In 
contrast, DHCP merely assigns IP addresses, but does not perform any binding or mapping. As a 
result, one of ordinary skill in the art would not correlate the DHCP server recited in Reid or Ray 
to an external binding service as claimed, or to an NABR server that performs the external 
binding process in applicant's embodiment.

Still further, the reliance of the Office Action on particular parts of Ray is misplaced.
The Office Action asserts that the steps of "receiving, from an external binding process, a
binding of a network address to an authenticated user of one of the clients for which the policy
enforcement point controls access to the network; updating the named group to include the
bound network address of the authenticated user at the policy enforcement point;" are expressly
described in Ray (Col. 4, line 65 to col. 5, line 31). This is incorrect. The text cited in Ray for
"receiving ... a binding of a network address to an authenticated user" simply describes a method
for a device to receive a network address from a network server when the device is added to a
network (Col. 4, line 65 to col. 5, line 31). Ray makes no mention of "an authenticated user," or
anything relating to authentication, as featured in Claim 1. Further, receiving a binding of an
authenticated user to a network address is not the same as a network address alone. Ray has no
teaching of associating, mapping or binding an authenticated user to a network address, or
communicating such a binding from one place to another.

Since neither Reid nor Ray either alone or in combination teach or suggest the use of an
external binding service, separate but in combination with an address server as claimed, the
rejection is unsupported in the references. Reconsideration and withdrawal are respectfully
requested.

Next, for the claimed feature of "updating the named group to include the bound network 
address of the authenticated user at the policy enforcement point," the Office Action states that 
"the firewall saves the network address and therefore updates the group to include the new IP 
address." However, updating of a group is significantly different than saving a network address. 
The portion of Ray on which the Office Action relies merely teaches saving a network address 
received from a network device. There is no teaching or suggestion to add the network address 
to a named group. There is no suggestion to combine the address save operation of Ray with any
other feature or function at all. 

One point of the independent claims is to update a group definition only after receiving a 
binding that associates a network address with an authenticated user. Ray has no such 
suggestion. Ray in combination with Reid would merely provide for saving a network address as 
part of a region definition. But such a combination of references fails to provide the complete 
claimed combination, which performs the update only after receiving a binding of an address to 
an authenticated user. A combination of the cited references fails to provide the security offered 
by the claimed approach. 

"To establish prima facie obviousness of a claimed invention, all the claim limitations 
must be taught or suggested by the prior art." In Re Royka, 180 USPQ 580; MPEP § 2143.03. 
However, the cited prior art does not teach or suggest the foregoing features of each of the 
independent claims. Therefore, the Office Action has failed to present a prima facie case under 
35 U.S.C. 103, and the rejection of Claims 1, 13, 19, 20, 23, and 24 is unsupported.
Reconsideration is respectfully requested. 

CLAIMS 2-12 AND 13-18 

Claims 7-12 are canceled herein, without prejudice or disclaimer, and the rejection thereof
is moot.

Claims 2-6 all depend from Claim 1 and include all of the limitations of Claim 1. 
Therefore, Claims 2-6 are patentable over Reid and Ray for at least the reasons set forth herein 
with respect to Claim 1.

Furthermore, Claims 2-6 recite additional limitations that independently render them 
patentable over Reid and Ray. For example, Claim 5 recites "wherein the steps of receiving a 
binding of a network address to an authenticated user of a client for which the policy 
enforcement point controls access to the network comprises the steps of receiving an Internet
Protocol (IP) address for the user from a network address binding resolution (NABR) process."
Nothing in Reid or Ray recites the use of a NABR process for the binding process described in
Claim 1. The Office Action contends at page 11 that this feature is shown in Ray col. 6, line 66
to col. 7, line 7. This is incorrect. Ray has no such disclosure. The term "NABR" does not
appear in the cited passage. For this reason, the rejection of Claim 5 must be withdrawn.

As another example, Claim 6 recites determining that the user has discontinued use of the 
client, and deleting the network address to which the user is bound from each named group of 
each policy enforcement point of the network. The Office Action refers to Reid col. 15, lines 29- 
49, but this passage does not teach deleting a bound address from a region in response to 
determining that a user has discontinued using a client. This difference is fundamental. For this 
reason, the rejection of Claim 6 must be withdrawn. 

Claims 13-18 include limitations similar to Claims 1-6, except in the context of 
computer-readable media. Therefore, Claims 13-18 are patentable over Reid and Ray for at least 
the reasons set forth herein with respect to Claims 1-6.

CLAIMS 21 AND 22 

Stewart and Stevens are cited to show the ASAP protocol and the DNS process, 
respectively, with regard to Claims 21 and 22. However, neither Stewart nor Stevens teach using 
ASAP or DNS for receiving a binding of a network address to an authenticated user, when the 
term "binding" is properly defined and construed as described above. 

Further, Claims 21 and 22 each depend from an independent claim that has the features 
identified above as distinct from Reid and Ray. Neither Stewart nor Stevens cures these 
deficiencies of the base references. Therefore, a combination of Stewart or Stevens with Reid 
and Ray cannot provide the complete combination that is claimed.

II. CONCLUSIONS & MISCELLANEOUS

In view of the foregoing, reconsideration and withdrawal of the rejection of Claims 1-20 
and 23-24 is respectfully requested. Applicants respectfully submit that all of the pending claims 
are now in condition for allowance. Therefore, the issuance of a formal Notice of Allowance is 
believed next in order, and that action is most earnestly solicited. 

The Examiner is respectfully requested to contact the undersigned by telephone if it is 
believed that such contact would further the examination of the present application. 

A petition for extension of time, to the extent necessary to make this reply timely filed, is 
hereby made. If applicable, a law firm check for the petition for extension of time fee is enclosed 
herewith. If any applicable fee is missing or insufficient, throughout the pendency of this 
application, the Commissioner is hereby authorized to charge any applicable fees and to credit any
overpayments to our Deposit Account No. 50-1302. 



Respectfully submitted, 



HICKMAN PALERMO TRUONG & BECKER LLP 



Dated: March 24, 2005 




Christopher J. Palermo 
Reg. No. 42,056 



2055 Gateway Place Suite 550 
San Jose, California 95110-1089 
Telephone No.: (408) 414-1080x202 
Facsimile No.: (408) 414-1076